Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
5DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma® Access are not impacted by this vulnerability.
AnalysisAI
Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator to inject persistent JavaScript payloads that execute in the browsers of other users who view the affected pages. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series) running PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x branches. No active exploitation is confirmed - EPSS stands at 0.04% (13th percentile), SSVC exploitation status is 'none', and no public exploit code has been identified at time of analysis. Vendor-released patches are available for all affected branches.
Technical ContextAI
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting'), specifically the stored variant, meaning attacker-supplied JavaScript is persisted server-side and served to subsequent users who load the affected page. The affected surface is the PAN-OS web management interface, which administrators use to configure firewall policy, network settings, and device management. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P) confirms the attack originates over the network, requires no complex conditions, but demands high-privilege credentials and passive victim interaction. CPE data nominally includes cpe:2.3:a:palo_alto_networks:cloud_ngfw and cpe:2.3:a:palo_alto_networks:prisma_access, but the vendor description explicitly excludes both products from impact - this CPE inclusion appears to be a data entry artifact and should not be used as a basis for triaging those platforms.
RemediationAI
Upgrade to one of the following vendor-patched releases based on the currently running branch: PAN-OS 10.2.18-h6 or later, PAN-OS 11.1.15 or later, PAN-OS 11.2.12 or later, or PAN-OS 12.1.7 or later. Full guidance is available in the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0256. If immediate patching is not feasible, restrict access to the PAN-OS web management interface to trusted administrative workstations only via management access policies and dedicated out-of-band management networks, reducing the pool of potential victim users who could trigger the stored payload. Note that restricting UI access does not prevent a malicious insider admin from storing a payload - it only limits the blast radius. Multi-admin environments with strict role-based access control should audit which accounts have web UI access and enforce the principle of least privilege across administrative tiers.
More in Cloud Ngfw
View allAuthentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication
Heap-based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS allows unauthenticated
Remote code execution and denial-of-service in Palo Alto Networks PAN-OS software stems from a buffer overflow in the IK
Denial of service conditions in Palo Alto Networks PAN-OS allow unauthenticated network attackers to crash firewall data
Multiple denial-of-service conditions in Palo Alto Networks PAN-OS allow unauthenticated remote attackers to crash or de
Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrict
Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS allow an authenticated administrator to escape s
Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an
Server-side request forgery in the IKEv2 implementation of Palo Alto Networks PAN-OS allows unauthenticated remote attac
Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the fi
Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a Jav
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30103
GHSA-q845-rv2h-x553